Hackers steal data from compromised Barnes & Noble payment terminals

Criminal hackers planted malicious code in payment card keypads used at 63 Barnes & Noble stores across the United States and siphoned account data belonging to people who used them, company officials have warned.

The tampering, which first came to light on September 14, was limited to one hacked keypad in each of 63 stores located in California, New York, and seven other states, according to a press release published on Wednesday morning. The "sophisticated criminal effort" captured payment card and personal identification numbers of people who used the terminals, and some of that data has been used to make unauthorized purchases, according to The New York Times.

The company emphasized that its customer database is secure and that the breach had no effect on purchases made through the Barnes & Noble website. The security of Nook and Nook mobile apps is also unaffected.

Company officials removed all keypads from the company's almost 700 stores after discovering the tampering. An investigation revealed that only 63 of them had been hacked, each one from a different store. The data theft involved only transactions in which a customer used one of the compromised devices to make a payment card purchase. At the request of federal officials, company officials kept the breach quiet pending an investigation, the NYT also reported.

As a precaution, the company is recommending that all employees or customers who used a payment card at any Barnes & Noble store change their debit card PIN and review their accounts for any unauthorized transactions. Other states with affected stores included Connecticut, Florida, Illinois, Massachusetts, New Jersey, Pennsylvania, and Rhode Island.

It would have to be an inside job if it's those swipe terminals right by the register.

I'm thinking about the scenario in which no one thinks to question the guy who shows up appropriately dressed, carrying a tool kit and a clip board, has an air of confidence and authority about him, and says, "I'm here to repair/upgrade your [whatever]." Not exactly an inside job unless you point to the employee who didn't question the guy. And if 'appropriately dressed' includes a company name or logo, there ya go.

I understand it's important to catch the people doing this but their first priority should have been to tell customers immediately that their information may have been compromised rather than wait for the investigation to play out. It's better to prevent unauthorized purchases before they happen or catch them immediately after, but people don't pay attention to their bank accounts every single day. At a minimum a company should alert its customers the instant a breach has been discovered and possibly even pay for mitigation strategies.

Are there no industry standards for securing customer data or detection and prevention of POS device tampering? If industry hasn't come up with useful standards yet, maybe it's time the government stepped in and started laying out a framework.

Not necessarily an inside job. Depends upon the software. If it has known flaws, all you need to do is upload an exploit to it. Upload an auto-executing program to the POS terminal itself (remember, most of these *are* PCs at the heart of it, with USB ports and more) while distracting the terminal tender. Or if it's connected to the internet and shares the same network as a public (or private) Wifi spot in the store, get in there and execute a local attack.

I can't fathom how this was allowed to happen. With regards to the guy above claiming it could have been a guy in a uniform... people get suspicious if you claim you're there to upgrade something but leave after messing with a single unit, and people get suspicious if you claim you're there to repair something that is clearly not broken.

Either way this should have been stopped before it even happened. The article says they were "hacked" but if it was purely a software thing then those stupid little Verifone pads have no security. If it was a hardware hack, someone should have been suspicious at the guy nobody has ever seen before messing with a single pay terminal.

I'm curious also. Was it as simple as a sleeve like we have seen from previous ATM/gas pump PIN stealing? Or was this some sort of code they were able to install on the PIN pads? If code, how did they install it? Can you install code on these pads by swiping a modified hotel-style mag-stripe card?

How did the hackers retrieve the data? If hardware similar to the ATM/gas pump hacks, probably over wifi, but if it was code, did they have access to the B&N network to send it out? The security enthusiast in me is very curious.

As someone who works for a payment terminal manufacturer, I can assure you those pads have more security than you think they do. And I totally agree with you on the hardware side, they should have gotten suspicious unless perhaps they were told it would spread to the rest or some nonsense like that.

BTW, the computer based POS Terminal usually does not actually ever "see" the card data. It should never be exposed like that, it should be kept inside the actual terminal.

I understand it's important to catch the people doing this but their first priority should have been to tell customers immediately that their information may have been compromised rather than wait for the investigation to play out.

I think you are overestimating the paranoia of management at these stores. It would be easy enough to show up to "repair" a unit, or come in as the cleaning crew, and swap out the unit after hours. Maybe have a two-person crew. One person "breaks" the pad (yank on the cable while the teller is distracted), and the 2nd person comes in to repair the unit.

With all due respect to anyone who works there, a Barnes & Noble sales floor is hardly a high security think tank, where suspicion and paranoia are the prevailing mindset. I think you're overestimating people in general, and particularly the employees in such an environment. Higher end than at a big box retail outlet or convenience store, maybe, but still observably human. Sure they should be suspicious of any such activity but, realistically, would they be? I don't know how it happened but would not be in the least surprised if it were along the lines of the scenario I outlined. I could be dead wrong, a frequent state of affairs with me, but I'd like to know.

"The tampering, which first came to light on September 14, was limited to one hacked keypad in 63 stores located in California, New York, and seven other states, according to a press release published on Wednesday morning."

That one keypad sure gets around.

(yes, I know it was 63 keypads, but the sentence is written so poorly)

I know customers using credit cards will be fairly well insulated from any actual losses, but I wonder how people that used gift cards will be affected. Hopefully not? For people using gift or prepaid store cards you'd have a harder time proving the fraudulent withdrawals, right? Just another reason to avoid them if true.

Also, it would be pretty easy to access these terminals. Barnes & Noble (and other similar shops) stack loads of small merchandise up at the counter that could be used to 'screen' what you are doing. I know I've been standing at a register before when no cashiers were present, waiting for one. I'm sure I was on camera but I could easily have accessed a POS terminal or reached over to the register if I wanted. It's not like you are at a bank with drawers full of cash, it's a bookstore and security is lower.

No, you cannot install code on the pads by swiping a mag-stripe card (at least on ours you can't).

With all due respect to anyone who works there, a Barnes & Noble sales floor is hardly a high security think tank, where suspicion and paranoia are the prevailing mindset. I think you're overestimating people in general, and particularly the employees in such an environment.

With all due respect, this is a naive perspective on retail employees. Why should a bookseller care if the card swipers get hacked? They've got plenty of other things to worry about that will result in immediate financial penalties (i.e. getting fired or hours cut) if they don't stay on top of them. Being intelligent, they focus on those things, not the unlikely scenario of someone social engineering a card swiper scam. Even employees who focus too much on preventing shoplifting, a far more common event, over customer service get chastised by management. If you're a retail employee, your default state is one where you have far more things to do than you have time to do them. Worrying about unlikely events, even adverse ones, is counterproductive.

Unfortunately, I agree with your assessment. Especially after having spent time working in a retail environment. It probably wouldn't have been difficult to maneuver yourself into "working" on the terminal. Especially since it could be done from the customer side of the counter with a laptop. (again, if it was an actual hardware load that was done)

I wish they mentioned an idea of when this started - it just states that the affected pads were turned off on Sept. 14th. While I haven't made a purchase at a B&N in recent months, I have been to one of the affected stores in probably the past 4-6 months. I'd bet the problem doesn't go that far back, that those responsible started using the captured information within weeks of gathering it, but still.

hazel-rah, you seem to be exactly agreeing with ColinABQ. He's implying that the employees don't have an IT security-focused mindset and are more concerned about other things. I think you may have misread something he wrote, unless I'm, in turn, misreading your antagonistic response.

Not meant antagonistically, and my apologies for coming across that way... I will admit the phrases "hardly a high security think tank" and "overestimating people in general" came across as condescending to me, and they probably weren't meant to sound so. So I'll elaborate where I'm coming from a little... people naturally think of this in terms of a personal narrative and focus on how particular employees behaved, and think "how can this have got past them?" or "how could this have happened?"

But you have hundreds of stores, and massive amounts of money going through those swipers. This type of breach is going to happen, and when it does, it's not helpful to think of it as a discrete occurrence and analyze it at that level. I would be wary even describing it as a systemic failure... there are practical limits to security in a retail environment, and you've got to find a threshold where you are using your resources to minimize this kind of thing, since you can't prevent it entirely.

It's odd to me that people assume that all parties involved- the B&N corporation, the manufacturers of the swipers, the banks, and even the employees to some degree- haven't already given this issue a serious amount of consideration and taken steps to minimize this sort of occurrence. They have. And yes, I think front line employees bear the brunt of the blame when individuals suffer from this type of thing. Both in the public's eye and also within the company. But everyone enjoys the benefits of a relatively free-and-easy retail purchasing system, and it's not fair to even imply that retail employees are at fault when criminals take advantage of the system.

The whole thing seems very similar to the public reaction to the Benghazi attack... there's a system with many benefits but an irreducible amount of risk, and everyone passively enjoys the benefits and then looks for a person to blame when something unpleasant but systemically quite expected happens. But there aren't people to blame. It's a system event that is not intuitively graspable in the everyday way we assign blame.

(Sorry for the major snippage - good post(!), but we're filling pages here)

I admit that my post may have seemed condescending, for which I apologize. I really meant that humans will be humans, sometimes more so than others. Susceptibility to social engineering does, I think, vary with the environment. Combine the environment with the mindset of the humans there, consider their assigned tasks ... and I thought it easier to understand how such things might happen. Arguable, obviously.

How did the hackers retrieve the data...The security enthusiast in me is very curious.

I believe the current state of the art is to use GSM packet data to upload the captured info. Perhaps the delay was to allow the FBI to reverse-engineer the hacked pads and try to trace the hackers' data route.

Those PIN pads are supposed to be secure. Obviously, they're not, if you can replace a working one with a hacked one. This (consumer terminal replaced with hacked one) has been done several times over the past few years, and it's surprising the Verifone firmware hasn't been updated to deal with this "pad switching" exploit.

It will be interesting when the other shoe (a description of the exploit) drops.

As a precaution, the company is recommending that all employees or customers who used a payment card at any Barnes & Noble store change their debit card PIN and review their accounts for any unauthorized transactions.

That's not what the press release says. It says:

Quote:

As a precaution, customers and employees who have swiped their cards at any of the Barnes & Noble stores with affected PIN pads should take the following steps: ...

Thanks. I figured there is probably more security that would make that near impossible, but I wouldn't put it past some enterprising hackers to try. They have done some pretty interesting things with NFC & mag-stripe cloning when it was first discussed, before the current generation of security and dynamic CVV was added among other security features.

Is there any information about how specifically the keypads were compromised?

As a consumer I always try to look out for skimmers or anything that looks like it's been added on to the card swiper, but if they're just wholesale replacing the unit w/ one that has hacked innards there isn't really a way a customer can protect themselves from this...

Thanks to all who replied for your perceptions and insights.

Environment can make a difference. It helps knowing your IT department and authorized vendors, but I'm sure in larger organizations like B&N, it can be hard. In one of my old jobs, there were only 2 of us that made up the whole IT department that did everything for 5 locations. If anything weird came up, our users were pretty good about notifying us. This is not as easy in larger organization where you don’t know everybody.

I went to buy a Nook Glow about a month ago in one of those states & Barnes & Noble had turned off all the debit card readers, forcing credit card, check, or cash payments. Looking back I wonder if the disabled debit card scanner things might have been disabled due to "something is weird, let's be safe & turn them off, using only the old style register swipe things along with cash/check till we figure it out". Kudos to them if so, & again for admitting the problem once it was uncovered.

So now we know why B&N suddenly yanked the debit card machines out of their stores. Why did it take so long to explain this? One keypad per store sounds like low odds, until you realize my B&N stores usually only have one of the dozen or so registers open anyway. B&N is a soft target, which shows how desperate criminals are getting. This almost had to be an inside job with someone cooperating to get access to the machines.

I have purchased in person at B&N in Mass. Fortunately I keep a close eye on my CC statements. Just wondering if this is another place where paying with cash would be a better idea.

The press release links to a B&N INC website that gives the info about it... however... the main B&N website doesn't mention it at all, so if you are an ordinary customer you will not know it happened. Sheesh.

I'm thinking about the scenario in which no one thinks to question the guy who shows up appropriately dressed, carrying a tool kit and a clip board, has an air of confidence and authority about him, and says, "I'm here to repair/upgrade your [whatever]."

I understand it's important to catch the people doing this but their first priority should have been to tell customers immediately that their information may have been compromised rather than wait for the investigation to play out.

I think law enforcement will (rightly) claim that finding and catching the criminals, or even just having time to understand their MO, will prevent many more future victims. At the cost of this (lesser) pool of victims.

I was discussing a similar issue with a Criminal Justice major and he said increasing the likelihood/surety of getting caught has a much greater deterrent effect on crime than increasing the severity of the punishment that's imposed. Unfortunately I have no sources to cite on this.

If you think it's so easy, I suggest you try to walk behind the counter at McDonald's next time you are there.

Or the floor supervisor is an idiot. Or the cashier is a complete idiot and doesn't notify the chain of command. Having worked in a big box bookstore before, it's entirely possible for a swift-talking dude in the right uniform to gain temporary access to external card terminals by approaching the proper moron.

These stores vendor out repair and maintenance work all the time, so it's common for some random tech from JoeBob's Diagnostics Service to show up with a multimeter and a work order. Often only one employee (the operations manager) is notified ahead of time, and it's not uncommon for a supervisor or two to not get the verbal memo, particularly for employees who work the late shift. And that notice never trickles down to the cashiers.